Tabletop Exercise

April 20-22, 2026 | Georgia Tech Exhibition Hall | MidTown, Main Stage

Mon/Wed: 7:45-8:45am | Tue: 8-10am | Wed Lessons Learned: 2-2:30pm

Led By:

Scenario Overview

Oil/Gas/Airport OT/ICS Incident Response TTX

UTSI will facilitate a four-part cybersecurity tabletop exercise simulating a cyber-physical incident impacting an airport’s IT and Operational Technology (OT) environment, with specific focus on SCADA systems and oil and gas feeder systems supporting airport fueling operations. The scenario highlights the interconnectivity of airport IT and OT systems, the operational and safety implications of disrupted fuel distribution, and the complexity of coordinating response across multiple stakeholders.

The exercise leverages the National Incident Management System (NIMS) and Incident Command System (ICS), including ICS4ICS coordination, to demonstrate structured yet flexible response models for cyber incidents affecting critical infrastructure. Participants will explore how NIMS principles—particularly scalability and adaptability—complement technical cybersecurity frameworks such as NIST SP 800-61r3, NIST SP 800-82, IEC 62443, and MITRE ATT&CK.

The exercise is conducted over three morning sessions and one afternoon session, and each day focuses on a distinct dimension of the incident:

Day 1 – Scenario Framing & Command Structure:
Establishes the operational landscape, introduces the threat scenario, defines roles and responsibilities, and stands up the ICS structure. Emphasis is placed on aligning NIMS/ICS constructs with established cyber incident response frameworks. Includes a guest speaker on NIMS ICS and ICS4ICS coordination.

Day 2 – Technical Incident Response:
Focuses on the end-to-end cyber response lifecycle—identify, detect, respond, and recover—within an airport OT/ICS context. Addresses IT vs. OT considerations, SCADA impacts, fuel supply dependencies, and evolving threat tactics. Includes a guest speaker from MITRE.

Day 3 – Business, Risk, and Governance Impacts:
Examines enterprise-level implications, including operational risk, regulatory and compliance considerations, insurance impacts, public relations, and governance, risk, and compliance (GRC) processes. Includes a guest speaker on cyber insurance.

Day 3 evening – Closeout and Lessons Learned:
The exercise concludes with a facilitated report-out and lessons learned session, capturing key observations across operational, technical, and business domains. A closing segment will recognize participant contributions through superlative awards.